What Content Security Policy (CSP) do I need for Channels?

Simple CSP

Whitelisting `*.pusher.com` and `*.pusherapp.com` will allow all connections to our Channels service. This is slightly less restrictive than the below policy but is the quickest to implement, and will also ensure any future subdomains and linked functionality we introduce is not blocked. 

Advanced CSP

This list allows for a more fine-grained approach to defining your CSP.

If making use of the CDN (http:// or https://)
js.pusher.com
If on mt1 (main) cluster (ws:// or wss://)
ws.pusherapp.com
If on any other cluster (ws:// or wss://)
ws-[your-cluster].pusher.com
If on mt1 (main) cluster (http:// or https://)
sockjs.pusher.com
If on any other cluster (http:// or https://)
sockjs-[your-cluster].pusher.com


You would need to add ws/wss and http/https depending on whether you are encrypting your Channels connection. If you are using a cluster other than mt1 (main cluster) then you need to add the ID of that cluster where it says [your-cluster]. E.g. for cluster 'eu', you would need to add sockjs-eu.pusher.com. You can find out the cluster of your app on the dashboard

You will also need to turn off stats collection to prevent the connections to the stats endpoint from failing and subsequently logging an error to the console. 

Was this article helpful?
0 out of 1 found this helpful
Haven't found what you were looking for?
Submit a ticket